WARNING: I-Worm PrettyPark! > To Mr. Jacek Kauch (and anyone interested)

Author: Robert Jezierski (robert_at_xion.pl)
Date: Sat 01 Apr 2000 - 22:50:17 MET DST


Dear Mr. Jacek! Yesterday morning I received from you by e-mail a little file named
"PrettyPark.exe", equipped with a cute icon showing the face of a character from the
film "South Park"... (just in time, since the film is currently showing in cinemas!)

This surely happened without your knowledge! Surely your other correspondents also
received this "parcel" automatically. Unfortunately it is a WORM (a Trojan horse)
that likes to mail itself out automatically... A "bit of info" on it:

"PrettyPark.Worm

Detected as: PrettyPark.Worm, W32.PrettyPark.C.Worm, W32.PrettyPark.D.Worm
Aliases: Trojan Horse, W32.PrettyPark, Trojan.PSW.CHV, CHV, W32/Pretty.worm.unp
Known Variants: W32.PrettyPark.C.Worm, W32.PrettyPark.D.Worm
Infection Length: 37,376; 17,081 (C variant); 60928 (D variant)
Area of Infection: C:\Windows\System, Registry, email attachments
Likelihood: Common
Detected as of: June 1, 1999; February 2, 2000 (C variant);
                February 18, 2000 (D variant)
Characteristics: Worm, PrettyPark.EXE, Files32.VXD

Description

This worm program behaves similarly to Happy99 Worm. It was originally spread
by email spamming from a French email address. The original report of this worm
was submitted through our exclusive Scan&Deliver system on May 28, 1999 from
France.

When the attached program file, PrettyPark.exe, is executed, it may display the
3D pipe screen saver. It also creates a file called files32.vxd in the
Windows\System directory and modifies the following registry entry value from
"%1" %* to files32.vxd "%1" %* without your knowledge:

HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command
 
Once the worm program is executed, it tries to email itself automatically every
30 minutes (or 30 minutes after it is loaded) to email addresses registered in
your Internet address book.

It also tries to connect to an IRC server and join a specific IRC channel.
The worm sends information to IRC every 30 seconds to keep itself connected,
and to retrieve any commands from the IRC channel.

Via IRC, the author or distributor of the worm can obtain system information
including the computer name, product name, product identifier, product key,
registered owner, registered organization, system root path, version, version
number, ICQ identification numbers, ICQ nicknames, victim's email address,
and Dial Up Networking username and passwords.
In addition, being connected to IRC opens a security hole in which the client
can potentially be used to receive and execute files.

Repair Information

To remove the PrettyPark worm:

On the Windows taskbar, click Start > Run.
Type REGEDIT, then click OK.
Modify the following Registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command

and change

files32.vxd "%1" %*

to

"%1" %*

Delete the PrettyPark.exe file.
Restart your computer.
Delete the \Windows\System\Files32.vxd file.

REGARDS, and I wish you GOOD LUCK removing the BUG from your system...
===================================================================

-- 
°+˛˛+°+˛˛+°+˛˛+°+˛˛+°+˛˛+°+˛˛+°+˛˛+°+˛˛+°+˛˛+°+˛˛+°+˛˛+°+˛˛+°+˛˛+°+˛˛+°+˛˛+°
°+˛˛+°+˛˛+° Robert Jezierski   http://www.xion.pl   robert_at_xion.pl +˛+°+˛˛+°
°+˛˛+°+˛˛+°+˛˛+°+˛˛+°+˛˛+°+˛˛+°+˛˛+°+˛˛+°+˛˛+°+˛˛+°+˛˛+°+˛˛+°+˛˛+°+˛˛+°+˛˛+° 
˛+°+˛˛+°+˛˛+°+˛˛+°+˛˛+°+˛˛+ScitEX, Plugs'n'PrePress+°+˛˛+°+˛˛+°+˛˛+°+˛˛+°+˛˛
+˛˛+°+˛˛+°+˛˛+°+˛˛+°+˛˛+°+˛˛+°+˛˛+°+˛˛+°+˛˛+°+˛˛+°+˛˛+°+˛˛+°+˛˛+°+˛˛+°+˛˛+°+
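The removal steps quoted above amount to one registry check: the (default) value of the exefile open-command key must be exactly "%1" %*, and anything prepended to it is a program interposed in front of every executable launch. The following PowerShell script is an added example and is not part of the original post or the vendor text it quotes. It audits that value, optionally restores the default, and looks for the dropped file. The registry path, the default value "%1" %* and the file name files32.vxd are taken from the quoted description; running it on a current Windows with PowerShell 5.1 or later, requiring an elevated session for -Restore, and additionally checking Windows\System32 alongside Windows\System are assumptions of this script.

```powershell
# Added example, not code from the original post or the quoted vendor text.
# Audits the exefile open-command value that the description says PrettyPark
# rewrites, and optionally restores the Windows default.
# Assumptions: Windows, PowerShell 5.1+, elevated session when -Restore is
# used; the System32 location is an extra check not named in the description.
[CmdletBinding()]
param(
    [switch]$Restore   # put the handler back to "%1" %* if it was altered
)

$KeyPath      = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'
$DefaultValue = '"%1" %*'          # value Windows itself stores, per the description
$WormFileName = 'files32.vxd'      # dropped file named in the description

function Get-ExefileHandler {
    # The (default) value of this key is the command Windows runs for every .exe.
    (Get-ItemProperty -Path $KeyPath -Name '(default)').'(default)'
}

function Get-InterposedCommand {
    param([string]$Current)
    # Returns $null when the handler is untouched; otherwise the part that was
    # put in front of "%1" %* (for PrettyPark the description gives files32.vxd).
    if ($Current -eq $DefaultValue) { return $null }
    return $Current.Replace($DefaultValue, '').Trim()
}

$current = Get-ExefileHandler
$interposed = Get-InterposedCommand -Current $current

if ($null -eq $interposed) {
    Write-Host "exefile handler is the Windows default: $current"
} else {
    Write-Warning "exefile handler has been altered: '$current' (interposed: '$interposed')"
    if ($Restore) {
        # HKLM\SOFTWARE\Classes is machine-wide, so this needs an elevated session.
        # Restore the handler first: with the hijack in place, every program
        # started afterwards (including the cleanup tools) passes through it.
        Set-ItemProperty -Path $KeyPath -Name '(default)' -Value $DefaultValue
        Write-Host "Restored exefile handler to $DefaultValue"
    }
}

# Look for the dropped file where the description places it (Windows\System),
# plus the System32 location as an assumption of this script.
foreach ($dir in @('System', 'System32')) {
    $candidate = Join-Path $env:SystemRoot (Join-Path $dir $WormFileName)
    if (Test-Path -LiteralPath $candidate) {
        Write-Warning "Found $candidate; delete it after restoring the handler and rebooting, as the quoted steps describe."
    }
}
```

Run it without arguments first to see what the handler currently contains; only pass -Restore once the reported value matches the altered form quoted above, since the same key is legitimately changed by some software and a blind reset would undo that too.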


This archive was generated by hypermail 2.1.7 : Tue 18 May 2004 - 19:58:14 MET DST